It is an honor to be featured in Gartner 2019 Magic Quadrant for Datacenter Backup and Recovery Solutions. Gartner’s MQ sets a high standard and earning a place on their grid is a great affirmation that Acronis is delivering on our mission to protect all data, apps, and systems.
Audit mandates MS SQL service accounts expiration: whats practice out there
Audit mandated we must enable password expiry for MS SQL accounts though we say they're service accounts:
from DBA: change cannot be implemented as it will expire service accounts
Set the 'CHECK_EXPIRATION' Option to ON for All SQL Authenticated Logins Within the Sysadmin Role
What's the practice out there?
Can we automate changing the password quarterly & yet not affect service accounts (which I assume
do not need to know the password)? One of them is nagios
Or set the accounts to non-interactive & how to do it for MS SQL?
from DBA: change cannot be implemented as it will expire service accounts
Set the 'CHECK_EXPIRATION' Option to ON for All SQL Authenticated Logins Within the Sysadmin Role
What's the practice out there?
Can we automate changing the password quarterly & yet not affect service accounts (which I assume
do not need to know the password)? One of them is nagios
Or set the accounts to non-interactive & how to do it for MS SQL?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
You can enforce password expiration quarterly and force the user to change password
https://www.mssqltips.com/sqlservertip/1088/sql-server-login-properties-to-enforce-password-policies-and-expiration/
https://www.mssqltips.com/sqlservertip/1088/sql-server-login-properties-to-enforce-password-policies-and-expiration/
Thanks, we're fully aware of what you've suggested but there are numerous
such service accounts which if the password are not changed (manually)
in time, will cause disruption ... too risky
such service accounts which if the password are not changed (manually)
in time, will cause disruption ... too risky
For new versions of MSSQL you can utilise "managed service accounts" to ensure automatic password management.
https://blogs.msdn.microsoft.com/markweberblog/2016/05/25/group-managed-service-accounts-gmsa-and-sql-server-2016/
https://blogs.msdn.microsoft.com/markweberblog/2016/05/25/group-managed-service-accounts-gmsa-and-sql-server-2016/
Is there such thing as 'non-interactive accounts for MS SQL'
that Windows have & in Unix, we set the SHELL to /bin/nologin?
that Windows have & in Unix, we set the SHELL to /bin/nologin?
On reading the full content of the link from Chris, noted:
"This implementation is done using Windows Server 2012 Active Directory domain controllers (DCs), all servers running Windows Server 2012 or Windows Server 2012 R2, and SQL Server 2016 CTP 3.2."
Just that we are still on Win2008 R2 AD (support expiring on Jan 2020) & we're
struggling to upgrade our AD to Win2016
"This implementation is done using Windows Server 2012 Active Directory domain controllers (DCs), all servers running Windows Server 2012 or Windows Server 2012 R2, and SQL Server 2016 CTP 3.2."
Just that we are still on Win2008 R2 AD (support expiring on Jan 2020) & we're
struggling to upgrade our AD to Win2016
Another remark from the link:
"Passwords are very complex and changed automatically as often as desired (by default every 30 days). ..
In addition, they cannot be used to interactively logon"
Is there any way in my MS SQL 2012 on Win 2008 R2 AD to make those service accounts "non-interactive";
it's fine if they don't expire periodically
"Passwords are very complex and changed automatically as often as desired (by default every 30 days). ..
In addition, they cannot be used to interactively logon"
Is there any way in my MS SQL 2012 on Win 2008 R2 AD to make those service accounts "non-interactive";
it's fine if they don't expire periodically
You could use group policy to prevent the accounts being used for interactive logins:
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-locally
and
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services
See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-locally
and
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services
Premium Content
You need an Expert Office subscription to comment.Start Free Trial